E-mail retention needs often conflict -- even among departments in the same company. A records management expert suggests seven steps to effective archiving.
When it comes to e-mail archiving practices, there is no shortage of advice. The trouble is, the guidance often conflicts, and one white paper's best practices are another expert's anathema. Even within one organization, perspectives on e-mail management can vary widely. The legal department sees e-mail as important to formulating its discovery response strategy. The IT shop has storage and security concerns. The compliance people have preservation and control issues. And end users want better access to e-mail to improve productivity. Reconciling the needs of all these constituencies makes it clear that one size seldom fits all in the world of e-mail.
Choosing the right course of action, then, is an important part of meeting compliance requirements, coping with the e-mail tsunami and being able to rely on e-mail records for evidentiary needs while also controlling costs. The key is to find common ground on which everyone can agree. Here's what to do:
E-Mail Archiving by the Book
Two publications will help explain issues and get your e-mail archiving programs off the ground: E-Mail Rules, by Nancy Flynn and Randolph Kahn, Esq., covers policies, security and legal issues surrounding e-mail in simple, conversational style. "Requirements for Managing Electronic Messages as Records" is a draft ANSI/ARMA International standard with recommended provisions for an electronic messaging policy. Both are available at www.arma.org.
1. Define what a message archive is. An e-mail archive is a repository kept in a non-production environment to provide secure retention of messages for compliance and operational purposes. It is not good policy to treat backups made for disaster recovery as archives. Trial attorneys note that companies that use backups to restore e-mails at users' request, or that keep backups for long periods of time, are more likely to have to search tapes in response to an opponent's discovery request. On the other hand, backups used solely for business continuity and routinely overwritten at short intervals say, 90 days or less have a fighting chance to be excluded from legal discovery. It makes sense to establish the difference between archives and backups in everyone's mind and in day-to-day practice.
2. Define which messages constitute business records. Not all messages are record quality. Transitory items, such as "thanks" messages, spam and employees' personal mail should not be kept. Besides the storage burden, e-mails that become part of federal investigations become publicly available: witness the 1.6 million Enron e-mails, many of them personal, now on the FERC Web site. Messages that are records generally pertain to business transactions, activities, operations, obligations or rights. It is these messages and their attachments that should be maintained in the archive.
3. Determine what content can and cannot be sent by e-mail. Most companies have determined that confidential, proprietary and attorney-client privileged information should not be conveyed or received via e-mail. Personal employee data, for example, can have privacy implications, particularly for firms that have subsidiaries or work with partners that operate in the European Union, where strict privacy rules are in place. The danger with proprietary or trade-secret information is that it can become public as part of patent or copyright infringement litigation. In some cases, attorney-client privilege can be lost if it is shown that the matter was disclosed to a third party, for example, through a cc on an e-mail.
4. Agree that retention is based on content, not age, size or employee role. First, recognize that e-mail is a transmission mechanism, not a unique record type with regard to retention. Message and attachment contents determine retention time according to predetermined schedules that govern all the company's records. Mailbox manager functionality that deletes messages based on message age and size is not compliant with required retention rules. Likewise, schemes that automatically save all e-mail based on the employee's job title are not a good idea. These are tantamount to labeling a physical box, "Jon Smith, VP of marketing" and storing that box long after Smith has left. It takes up valuable space, without hope of review, retrieval or disposal.
5. Recognize that native e-mail systems have little or no retention management functionality. Most e-mail systems retain messages on centrally controlled servers. Broad-brush e-mail deletion rules and mailbox size limitations often force users to file messages in personal folders on their hard drives (for example, as .pst files in Exchange) so that the messages remain accessible. Personal folders are problematic because they actually keep both .txt and .rtf versions of messages, requiring twice the storage space. Personal folders can also be password-protected, a potential problem if the password becomes unavailable when the person leaves.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.